Uh, If I am not mistaken, Port 139 is used for NetBios, hence you have
computers lookng for a Netbios connection on your PC. I also run ZA on my
WIN2K box, and I get this ALL the time from my other PC's on my LAN. As long
as it's internal, and you recognize the IP, it's no biggie. It's when it's
NON-LAN Ip's that you want to be careful, because some pc out there is
trying to locate a share on your PC.
----- Original Message -----
From: "Kurt Hudson" <
kurt@hudlogic.com>
To: <
plug-discuss@lists.plug.phoenix.az.us>
Sent: Friday, April 12, 2002 2:34 PM
Subject: Zone Alarm
> This log shows that your local system has configured for an APIPA range
> address 169.254.x.x and it is trying to communicate with 192.168.200.x
> over port 139, which is the Microsoft end-point mapper. Read this CERT
> article http://www.kb.cert.org/vuls/id/32650
>
> ZoneAlarm Log text:
> type,date,time,source,destination,transport
> FWIN,2002/04/11,10:12:00 -7:00
> GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00
> GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00
> GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00
> GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00
> GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00
> GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00
> GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00
> GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
>
> As for tools that you can use to monitor such activities, visit:
>
> http://www.sysinternals.com for TCPView for your Windows boxes
>
> Look here for security tools
>
> http://www.cert.org/tech_tips/security_tools.html
> http://216.60.197.200/Help/Sections/Security.htm
> http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html
> http://razor.bindview.com/tools/index.shtml
>
> For a list of Security information that I have been able to compile,
> visit http://www.hudlogic.com/tips.html (security)
>
> I haven't heard of Zone Alarm, so I obviously could use some more links
> on that Security tips location. If you have suggestions, please send
> them.
>
> Kurt Hudson
> kurt@hudlogic.com
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss